Detect channel spend by splice transaction

wpaulino · wpaulino · commit 8212264e1d5b · 2025-07-22T09:38:34.000-07:00
A `ChannelMonitor` will always consider a channel closed once a
confirmed spend for the funding transaction is detected. This is no
longer the case with splicing, as the channel will remain open and
capable of accepting updates while its funding transaction is being
replaced.
diff --git a/lightning/src/chain/channelmonitor.rs b/lightning/src/chain/channelmonitor.rs
@@ -496,6 +496,9 @@ impl OnchainEventEntry {
 				// it's broadcastable when we see the previous block.
 				conf_threshold = cmp::max(conf_threshold, self.height + csv as u32 - 1);
 			},
+			OnchainEvent::AlternativeFundingConfirmation { confirmation_depth } => {
+				conf_threshold = cmp::max(conf_threshold, self.height + confirmation_depth - 1);
+			},
 			_ => {},
 		}
 		conf_threshold
@@ -565,6 +568,16 @@ enum OnchainEvent {
 		/// output (and generate a SpendableOutput event).
 		on_to_local_output_csv: Option<u16>,
 	},
+	/// An alternative funding transaction (due to a splice/RBF) has confirmed but is not yet
+	/// locked, invalidating the previous funding transaction. Note that we wait to promote the
+	/// corresponding `FundingScope` until we see a
+	/// [`ChannelMonitorUpdateStep::RenegotiatedFundingLocked`] or if the alternative funding
+	/// transaction is irrevocably confirmed.
+	AlternativeFundingConfirmation {
+		// The confirmation depth negotiated and required for the funding transaction to be
+		// considered locked.
+		confirmation_depth: u32,
+	},
 }
 
 impl Writeable for OnchainEventEntry {
@@ -609,6 +622,9 @@ impl_writeable_tlv_based_enum_upgradable!(OnchainEvent,
 	(1, MaturingOutput) => {
 		(0, descriptor, required),
 	},
+	(2, AlternativeFundingConfirmation) => {
+		(1, confirmation_depth, required),
+	},
 	(3, FundingSpendConfirmation) => {
 		(0, on_local_output_csv, option),
 		(1, commitment_tx_to_counterparty_output, option),
@@ -618,7 +634,6 @@ impl_writeable_tlv_based_enum_upgradable!(OnchainEvent,
 		(2, preimage, option),
 		(4, on_to_local_output_csv, option),
 	},
-
 );
 
 #[derive(Clone, Debug, PartialEq, Eq)]
@@ -677,6 +692,7 @@ pub(crate) enum ChannelMonitorUpdateStep {
 		channel_parameters: ChannelTransactionParameters,
 		holder_commitment_tx: HolderCommitmentTransaction,
 		counterparty_commitment_tx: CommitmentTransaction,
+		confirmation_depth: u32,
 	},
 	RenegotiatedFundingLocked {
 		funding_txid: Txid,
@@ -744,6 +760,7 @@ impl_writeable_tlv_based_enum_upgradable!(ChannelMonitorUpdateStep,
 		(1, channel_parameters, (required: ReadableArgs, None)),
 		(3, holder_commitment_tx, required),
 		(5, counterparty_commitment_tx, required),
+		(7, confirmation_depth, required),
 	},
 	(12, RenegotiatedFundingLocked) => {
 		(1, funding_txid, required),
@@ -1111,7 +1128,7 @@ impl_writeable_tlv_based!(FundingScope, {
 #[derive(Clone, PartialEq)]
 pub(crate) struct ChannelMonitorImpl<Signer: EcdsaChannelSigner> {
 	funding: FundingScope,
-	pending_funding: Vec<FundingScope>,
+	pending_funding: Vec<(FundingScope, u32)>,
 
 	latest_update_id: u64,
 	commitment_transaction_number_obscure_factor: u64,
@@ -1944,7 +1961,9 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitor<Signer> {
 	{
 		let lock = self.inner.lock().unwrap();
 		let logger = WithChannelMonitor::from_impl(logger, &*lock, None);
-		for funding in core::iter::once(&lock.funding).chain(&lock.pending_funding) {
+		for funding in core::iter::once(&lock.funding)
+			.chain(lock.pending_funding.iter().map(|pending_funding| &pending_funding.0))
+		{
 			let funding_outpoint = funding.funding_outpoint();
 			log_trace!(&logger, "Registering funding outpoint {} with the filter to monitor confirmations", &funding_outpoint);
 			let script_pubkey = funding.channel_parameters.make_funding_redeemscript().to_p2wsh();
@@ -3313,8 +3332,11 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 			current_funding_commitment_tx.per_commitment_point(),
 		);
 
-		for (pending_funding, commitment_tx) in
-			self.pending_funding.iter_mut().zip(commitment_txs.iter().skip(1))
+		for (pending_funding, commitment_tx) in self
+			.pending_funding
+			.iter_mut()
+			.map(|pending_funding| &mut pending_funding.0)
+			.zip(commitment_txs.iter().skip(1))
 		{
 			let commitment_txid = commitment_tx.trust().txid();
 			pending_funding.prev_counterparty_commitment_txid =
@@ -3410,8 +3432,9 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 		}
 
 		let mut other_commitment_tx = None::<&CommitmentTransaction>;
-		for (funding, commitment_tx) in
-			core::iter::once(&self.funding).chain(self.pending_funding.iter()).zip(commitment_txs)
+		for (funding, commitment_tx) in core::iter::once(&self.funding)
+			.chain(self.pending_funding.iter().map(|pending_funding| &pending_funding.0))
+			.zip(commitment_txs)
 		{
 			let trusted_tx = &commitment_tx.trust().built_transaction().transaction;
 			if trusted_tx.input.len() != 1 {
@@ -3466,7 +3489,7 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 		self.current_holder_commitment_number = current_funding_commitment_tx.commitment_number();
 		self.onchain_tx_handler.provide_latest_holder_tx(current_funding_commitment_tx.clone());
 		for (funding, mut commitment_tx) in core::iter::once(&mut self.funding)
-			.chain(self.pending_funding.iter_mut())
+			.chain(self.pending_funding.iter_mut().map(|pending_funding| &mut pending_funding.0))
 			.zip(commitment_txs.into_iter())
 		{
 			mem::swap(&mut commitment_tx, &mut funding.current_holder_commitment_tx);
@@ -3674,7 +3697,7 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 		&mut self, logger: &WithChannelMonitor<L>,
 		channel_parameters: &ChannelTransactionParameters,
 		alternative_holder_commitment_tx: &HolderCommitmentTransaction,
-		alternative_counterparty_commitment_tx: &CommitmentTransaction,
+		alternative_counterparty_commitment_tx: &CommitmentTransaction, confirmation_depth: u32,
 	) -> Result<(), ()>
 	where
 		L::Target: Logger,
@@ -3750,7 +3773,7 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 		if self
 			.pending_funding
 			.iter()
-			.any(|funding| funding.funding_txid() == alternative_funding_outpoint.txid)
+			.any(|funding| funding.0.funding_txid() == alternative_funding_outpoint.txid)
 		{
 			log_error!(
 				logger,
@@ -3788,7 +3811,7 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 			alternative_funding_outpoint.txid,
 			vec![(alternative_funding_outpoint.index as u32, script_pubkey)],
 		);
-		self.pending_funding.push(alternative_funding);
+		self.pending_funding.push((alternative_funding, confirmation_depth));
 
 		Ok(())
 	}
@@ -3797,6 +3820,7 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 		let new_funding = self
 			.pending_funding
 			.iter_mut()
+			.map(|pending_funding| &mut pending_funding.0)
 			.find(|funding| funding.funding_txid() == new_funding_txid);
 		if new_funding.is_none() {
 			return Err(());
@@ -3810,7 +3834,7 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 		);
 
 		// The swap above places the previous `FundingScope` into `pending_funding`.
-		for funding in self.pending_funding.drain(..) {
+		for (funding, _) in self.pending_funding.drain(..) {
 			self.outputs_to_watch.remove(&funding.funding_txid());
 		}
 
@@ -3926,11 +3950,13 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 				},
 				ChannelMonitorUpdateStep::RenegotiatedFunding {
 					channel_parameters, holder_commitment_tx, counterparty_commitment_tx,
+					confirmation_depth,
 				} => {
 					log_trace!(logger, "Updating ChannelMonitor with alternative holder and counterparty commitment transactions for funding txid {}",
 						channel_parameters.funding_outpoint.unwrap().txid);
 					if let Err(_) = self.renegotiated_funding(
 						logger, channel_parameters, holder_commitment_tx, counterparty_commitment_tx,
+						*confirmation_depth,
 					) {
 						ret = Err(());
 					}
@@ -4871,6 +4897,51 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 				}
 			}
 
+			// A splice transaction has confirmed. We can't promote the splice's scope until we see
+			// the corresponding monitor update for it, but we track the txid so we know which
+			// holder commitment transaction we may need to broadcast.
+			if let Some((alternative_funding, confirmation_depth)) = self.pending_funding.iter()
+				.find(|funding| funding.0.funding_txid() == txid)
+			{
+				debug_assert!(self.funding_spend_confirmed.is_none());
+				debug_assert!(
+					!self.onchain_events_awaiting_threshold_conf.iter()
+						.any(|e| matches!(e.event, OnchainEvent::FundingSpendConfirmation { .. }))
+				);
+
+				let (desc, msg) = if alternative_funding.channel_parameters.splice_parent_funding_txid.is_some() {
+					debug_assert!(tx.input.iter().any(|input| {
+						let funding_outpoint = self.funding.funding_outpoint().into_bitcoin_outpoint();
+						input.previous_output == funding_outpoint
+					}));
+					("Splice", "splice_locked")
+				} else {
+					("RBF", "channel_ready")
+				};
+				let action = if self.no_further_updates_allowed() {
+					if self.holder_tx_signed {
+						", broadcasting post-splice holder commitment transaction".to_string()
+					} else {
+						"".to_string()
+					}
+				} else {
+					format!(", waiting for `{}` exchange", msg)
+				};
+				log_info!(logger, "{desc} for channel {} confirmed with txid {txid}{action}", self.channel_id());
+
+				self.onchain_events_awaiting_threshold_conf.push(OnchainEventEntry {
+					txid,
+					transaction: Some((*tx).clone()),
+					height,
+					block_hash: Some(block_hash),
+					event: OnchainEvent::AlternativeFundingConfirmation {
+						confirmation_depth: *confirmation_depth,
+					},
+				});
+
+				continue 'tx_iter;
+			}
+
 			if tx.input.len() == 1 {
 				// Assuming our keys were not leaked (in which case we're screwed no matter what),
 				// commitment transactions and HTLC transactions will all only ever have one input
@@ -5002,7 +5073,7 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 		let unmatured_htlcs: Vec<_> = self.onchain_events_awaiting_threshold_conf
 			.iter()
 			.filter_map(|entry| match &entry.event {
-				OnchainEvent::HTLCUpdate { source, .. } => Some(source),
+				OnchainEvent::HTLCUpdate { source, .. } => Some(source.clone()),
 				_ => None,
 			})
 			.collect();
@@ -5017,7 +5088,7 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 					#[cfg(debug_assertions)]
 					{
 						debug_assert!(
-							!unmatured_htlcs.contains(&&source),
+							!unmatured_htlcs.contains(&source),
 							"An unmature HTLC transaction conflicts with a maturing one; failed to \
 							 call either transaction_unconfirmed for the conflicting transaction \
 							 or block_disconnected for a block containing it.");
@@ -5064,6 +5135,21 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 					self.funding_spend_confirmed = Some(entry.txid);
 					self.confirmed_commitment_tx_counterparty_output = commitment_tx_to_counterparty_output;
 				},
+				OnchainEvent::AlternativeFundingConfirmation { .. } => {
+					// An alternative funding transaction has irrevocably confirmed. Locate the
+					// corresponding scope and promote it if the monitor is no longer allowing
+					// updates. Otherwise, we expect it to be promoted via
+					// [`ChannelMonitorUpdateStep::RenegotiatedFundingLocked`].
+					if self.no_further_updates_allowed() {
+						let funding_txid = entry.transaction
+							.expect("Transactions are always present for AlternativeFundingConfirmation entries")
+							.compute_txid();
+						debug_assert_ne!(self.funding.funding_txid(), funding_txid);
+						if let Err(_) = self.promote_funding(funding_txid) {
+							log_error!(logger, "Missing scope for alternative funding confirmation with txid {}", entry.txid);
+						}
+					}
+				},
 			}
 		}
 
diff --git a/lightning/src/ln/channel.rs b/lightning/src/ln/channel.rs
@@ -6816,6 +6816,11 @@ where
 			);
 		}
 
+		let confirmation_depth = self
+			.context
+			.minimum_depth(pending_splice_funding)
+			.expect("ChannelContext::minimum_depth should be set for FundedChannel");
+
 		log_info!(logger, "Received splice initial commitment_signed from peer for channel {} with funding txid {}",
 			&self.context.channel_id(), pending_splice_funding.get_funding_txo().unwrap().txid);
 
@@ -6826,6 +6831,7 @@ where
 				channel_parameters: pending_splice_funding.channel_transaction_parameters.clone(),
 				holder_commitment_tx,
 				counterparty_commitment_tx,
+				confirmation_depth,
 			}],
 			channel_id: Some(self.context.channel_id()),
 		};
